Slides

Related content

Report a problem or upload files

If you have found a problem with this lecture or would like to send us extra material, articles, exercises, etc., please use our ticket system to describe your request and upload the data.
Enter your e-mail into the 'Cc' field, and we will keep you updated with your request's status.

Description

Over the past few decades, multiple methods for hiding data in on hard drives have been devised. Most of
these depend on unallocated space either between or within filesystems.
Since methods for hiding data may also be used by criminals, they are of interest to digital forensic
investigators. Tools used by investigators therefore usually support features which can be used to inspect data
within places where data may be hidden, such as deleted files, unallocated sectors or alternate data streams.
Widely available virtualization of and on personal computers can be used to support old software which might
otherwise not run on modern hardware. Virtualization is also essential in developing low-level software, such as operating systems, and is an essential component of all solutions for cloud computing. Virtualization
technologies are therefore widely used and will likely remain popular in the foreseeable future. With virtual
computers it is often more convenient to use files as virtual hard drives instead of physical disks. These files
are typically large, so data could potentially be hidden within them, depending on the virtual disk image
format.
We have analyzed the most popular virtual disk image file formats and devised three general approaches for
hiding data within such files. Two of these approaches allow large amounts of data to be hidden. The hidden
data is unlikely to be detected by current digital forensics tools. New techniques and procedures will have to
be developed to detect such data.
We have implemented one of the approaches which can be used to store practically unlimited amounts of
data in a library which is freely available